PGP: on the web, what if everything was tampered?

I am trying to wrap my head around how Public Key Cryptography can really work in a secure manner.

From what I can gather, you go to example.com and download their PGP/GPG Public Key and add it to your keyring. They then send you a text file (or whatnot) signed with their Private Key or encrypted with your Public Key; and you can verify its authenticity and/or decrypt it.

What if the attacker modified the website in transit to you and signed their own fake key under their name, and you put it in your key ring? Then you go on to validate and decrypt the tampered file assuming it is valid.

I assume I am talking about MITM tampering of the entire web traffic in between, or something similar. I am just unsure how "signing" can protect against that if both the key and the data were faked in transit.


The scenario you describe requires multiple failures in the Web of Trust:

  1. The attacker would have to compromise the keyserver and put a fake copy of your public key there.
    Presumably if you're paranoid enough to use PGP you would have other people sign your key, so the attacker would have to get those people to sign the fake key (or contaminate an entire key chain).

  2. Other users would have to accept the compromised public key for use.
    The truly paranoid only take keys physically from their owners. The regular paranoid (like me) only insist on this when signing a key.

  3. The attacker would have to compromise the data stream (decrypting it - the easy part since it's encrypted with their compromised key), modify it, re-encrypt it and sign it with the sender's private key

    Presumably if you're paranoid enough to use PGP you insist that you receive everything signed.
    Signatures are made with the sender's private key, so either the attacker compromised the sender's key or got you to accept a compromised version of their public key which you'll use to check the fake signature.

There is a wonderful book on this subject - Applied Cryptography - which explains more about the kinds of compromises required for this system to break down.


Generally speaking, you need to be validating keys before you trust them.

In the case that you've outlined, that would mean only trusting the key if it's given to you through a secure channel (validated SSL, for instance), or in some other way that you trust (thumbprint hash communicated through a different means for validation, for instance).


Generally speaking for PGP, this is why there are key signing meetups, so that you can actually see the fingerprint in person, verify the other person's ID, and then get the public key itself online.
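The check that the two answers above describe (compare the fingerprint of the key you fetched online with one obtained through a separate channel, whether a verified SSL page, a phone call, or a card handed over at a keysigning meetup) can be made concrete. The following is an added illustration, not code from the question or any of the answers, and it assumes nothing beyond the OpenPGP v4 fingerprint definition (SHA-1 over 0x99, a two-byte length, and the public-key packet body, per RFC 4880). The key material in it is constructed and toy-sized, not a usable RSA key; the function and variable names are mine.

```python
import hashlib
import struct

# Everything here is an added illustration, not code from the question or answers.
# The key material is constructed and toy-sized; it is NOT a usable RSA key.


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2):
    version byte 4, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def fingerprint(body: bytes) -> str:
    """Version-4 fingerprint (RFC 4880 section 12.2): SHA-1 over 0x99, the 2-byte
    body length and the body itself, rendered as 40 upper-case hex digits."""
    prefix = b"\x99" + struct.pack(">H", len(body))
    return hashlib.sha1(prefix + body).hexdigest().upper()


def key_id(body: bytes) -> str:
    """The 64-bit key ID is the low-order 8 bytes (16 hex digits) of the fingerprint."""
    return fingerprint(body)[-16:]


def normalize_fingerprint(text: str) -> str:
    """Accept the spaced, mixed-case form people read aloud or print on a card."""
    return "".join(text.split()).upper()


def accept_key(body: bytes, out_of_band_fingerprint: str) -> bool:
    """Trust decision: the downloaded key is accepted only if its computed
    fingerprint equals the one obtained through a separate channel. A key fetched
    over the same channel an attacker may control cannot vouch for itself."""
    return fingerprint(body) == normalize_fingerprint(out_of_band_fingerprint)


# Constructed sample: the key the site owner really published ...
GENUINE = public_key_packet_body(
    n=0xC5A1_73F9_2B4D_E801_1F63_0A97_55C3_4E2B, e=65537, created=1_300_000_000
)
# ... and a substitute with the same creation time but a different modulus, which is
# what a tampered download would deliver.
SUBSTITUTED = public_key_packet_body(
    n=0xB7E4_0C11_9A2F_6D53_8E70_1B4C_D9A6_2F15, e=65537, created=1_300_000_000
)

if __name__ == "__main__":
    # Stands in for the value read off a card or verified SSL page, not off the download.
    trusted_fp = fingerprint(GENUINE)
    print("key id:         ", key_id(GENUINE))
    print("genuine key:    ", accept_key(GENUINE, trusted_fp))      # True
    print("substituted key:", accept_key(SUBSTITUTED, trusted_fp))  # False
```

The point of the structure is that `accept_key` never looks at where the key came from; it only compares a hash of the bytes you received against a value you already hold from elsewhere, so a tampered web page or keyserver response cannot pass unless the attacker also controls that second channel. In practice `gpg --fingerprint` produces the same 40-digit value for an imported key, and that is the string you compare by eye at a keysigning meetup before signing anyone's key.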